git.ipfire.org Git - thirdparty/bind9.git/commit

author	Diego Fronza <diego@isc.org>
	Tue, 9 Jun 2020 23:45:21 +0000 (20:45 -0300)
committer	Diego Fronza <diego@isc.org>
	Mon, 27 Jul 2020 20:02:16 +0000 (17:02 -0300)
commit	a8ce7b461ce05e0ff036bf9dae5f9afe23a8b770
tree	c583fdaadce2e7adc6d94eb6156e4091a22f4ec4	tree \| snapshot
parent	6720ba83355cc263425ef8ce2d1c2e6f6fa37bde	commit \| diff

Fix rpz wildcard name matching

Whenever an exact match is found by dns_rbt_findnode(),
the highest level node in the chain will not be put into
chain->levels[] array, but instead the chain->end
pointer will be adjusted to point to that node.

Suppose we have the following entries in a rpz zone:
example.com CNAME rpz-passthru.
*.example.com CNAME rpz-passthru.

A query for www.example.com would result in the
following chain object returned by dns_rbt_findnode():

chain->level_count = 2
chain->level_matches = 2
chain->levels[0] = .
chain->levels[1] = example.com
chain->levels[2] = NULL
chain->end = www

Since exact matches only care for testing rpz set bits,
we need to test for rpz wild bits through iterating the nodechain, and
that includes testing the rpz wild bits in the highest level node found.

In the case of an exact match, chain->levels[chain->level_matches]
will be NULL, to address that we must use chain->end as the start point,
then iterate over the remaining levels in the chain.